On 20/03/11 16:29, Marc Perkel wrote:
Just throwing this out there to see if people like this rule and if you
would like to improve it. Bank phishing usually involves a lot of
phrases to get you to give up your information. This rule looks for 5
matches out of the following list.
Hi Marc,
I get hit with a lot of bank phish and had tried this approach. In the
end I gave up as I found it not very effective.
For me, a far more effective approach was to compile a list of bank and
bank-like domains that bank phish is typically sent from and to score
them at 6 points. Easy, job done.
Seriously, I see very little legitimate mail from banks, and what I do
see is almost never sent from the primary domain (e.g., bank.com) but
always from a subdomain such as *.email.bank.com. Conversely, nearly all
phishing attempts I see are sent from the primary domain (e.g.,
bank.com). If you block or score @bank.com you will instantly stop most
bank phish with very few FPs.
Further, those banks that use SPF and/or DKIM-sign their mail can be
added to whitelist_from_spf and whitelist_from_dkim etc. As it's
difficult to determine information on SPF/DKIM records without examples
of ham this would benefit from a community effort.
So what I would propose is firstly a list of all banking domains and
secondly a list of faked banking-type domains used for phish. A freemail
type plugin for this might be useful (bankmail maybe)? Score those as
you see fit.
Then let's keep a whitelist of SPF and DKIM for bank domains. Score the
whitelist to counteract the score you just added to mail from a banking
domain.
So by default you now only accept mail from whitelisted banks (by SPF
and/or DKIM).
In the interests of sharing, here are my rules. I'm sure they could be
improved with community input but with these I've never felt the need to
filter on actual content which IMHO is far more troublesome.
# Anchored with $ so the address must end in the bank domain; without the
# anchor @egg.com also matches e.g. @egg.community.org
header LOCAL_FROM_BANK From:addr =~ /\@(abbey|abbeyinternational|abbeynational|allianceleicester|alliance-leicester|bankofamerica|barclays|cahoot|cbonline|citibank|cooperativebank|co-operativebank|cooperative-bank|egg|eggconnect|firstdirect|halifax|halifax-online|hbos|hsbc|hsbcgroup|lloydstsb|mbna|natwest|nationwide|newegg|new\.egg|northernbank|nwolb|rbs|santander|santandercards|smile|woolwich|ybonline|zenithbank)\.(com|co\.uk)$/i
score LOCAL_FROM_BANK 6
describe LOCAL_FROM_BANK From a bank domain
# Domains that are not banks but are used for phishing
# NOTE: some of these domains belong to legitimate companies
header LOCAL_FROM_NOT_BANK From:addr =~ /\@(abbey-online|abbeyonlinebanking|abbeyresourcing|abbeysecure|alliance|business-hsbc|co-operative-bank|eggbank|hsbcbanking|hsbc-?online|leicester|lloyds|lloydstsb-?online|llyodstsb|lloydstsbsecure|natiownide|neweggbank|onlinehsbc|santandergroup)\.(com|co\.uk)$/i
score LOCAL_FROM_NOT_BANK 12
describe LOCAL_FROM_NOT_BANK From not-a-bank phishing domain
header LOCAL_FROM_BANK_NET From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-?online|abbeyonlinebanking|abbeyresourcing|abbeysecure|alliance|alliance-?leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-?operative-?bank|egg|eggbank|eggconnect|firstdirect|halifax|halifax-?online|hbos|hsbc|hsbcbanking|hsbcgroup|hsbc-?online|leicester|lloyds|lloydstsb|lloydstsb-?online|llyodstsb|mbna|natwest|nationwide|newegg|new\.egg|neweggbank|northernbank|nwolb|onlinehsbc|rbs|santander|santandercards|santandergroup|smile|woolwich|ybonline|zenithbank)\.net$/i
score LOCAL_FROM_BANK_NET 12
describe LOCAL_FROM_BANK_NET Banks don't usually send from .net
# Starting to see popular banking domains spoofed as secure-hsbc.com etc
header LOCAL_FROM_SECURE_BANK From:addr =~ /\@secure-(abbey|abbeyinternational|abbeynational|abbey-?online|abbeyonlinebanking|abbeyresourcing|abbeysecure|alliance|alliance-?leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-?operative-?bank|egg|eggbank|eggconnect|firstdirect|halifax|halifax-?online|hbos|hsbc|hsbcbanking|hsbcgroup|hsbc-?online|leicester|lloyds|lloydstsb|lloydstsb-?online|llyodstsb|mbna|natwest|nationwide|newegg|new\.egg|neweggbank|northernbank|nwolb|rbs|santander|santandercards|santandergroup|smile|woolwich|ybonline|zenithbank)\.(com|co\.uk|net)$/i
score LOCAL_FROM_SECURE_BANK 12
describe LOCAL_FROM_SECURE_BANK From a secure-bank domain
# Bank name followed by 1-4 extra characters before the TLD (hsbc-uk.net etc.)
header LOCAL_FROM_BANK_OBF From:addr =~ /\@(abbey|abbeyinternational|abbeynational|abbey-?online|abbeyonlinebanking|abbeyresourcing|abbeysecure|alliance|alliance-?leicester|bankofamerica|barclays|cahoot|cbonline|citibank|co-?operative-?bank|egg|eggbank|eggconnect|firstdirect|halifax|halifax-?online|hbos|hsbc|hsbcbanking|hsbcgroup|hsbc-?online|leicester|lloydstsb|lloydstsb-?online|llyodstsb|mbna|natwest|nationwide|newegg|new\.egg|neweggbank|northernbank|nwolb|paypal|rbs|santander|santandercards|santandergroup|secure-cahoot|secure-halifax|secure-hsbc|smile|woolwich|ybonline|zenithbank)[-a-zA-Z0-9]{1,4}\.(com|co\.uk|net)$/i
score LOCAL_FROM_BANK_OBF 12
describe LOCAL_FROM_BANK_OBF From an obfuscated bank-like domain
header LOCAL_FROM_FIN_INST From:addr =~ /\@(bankofengland|fsa|hmrc)\.(com|co\.uk|gov\.uk|net)$/i
score LOCAL_FROM_FIN_INST 3
describe LOCAL_FROM_FIN_INST From other financial institution
And here are some of my SPF/DKIM rules for commonly phished institutions:
whitelist_from_dkim *@paypal.com
whitelist_from_dkim *@*.paypal.com
# two-argument form: any author address, provided the message carries a
# valid DKIM signature whose signing domain (d=) is paypal.com
whitelist_from_dkim *@* paypal.com
whitelist_from_dkim *@paypal.co.uk
whitelist_from_dkim *@*.paypal.co.uk
whitelist_from_dkim *@* paypal.co.uk
# Banks
whitelist_from_dkim *@alert.bankofamerica.com
whitelist_from_dkim *@bankofamerica.com
whitelist_from_dkim *@barclays.com
whitelist_from_dkim *@*.barclays.com
whitelist_from_dkim *@barclays.co.uk
whitelist_from_dkim *@*.barclays.co.uk
whitelist_from_dkim *@lloydstsb.com
whitelist_from_dkim *@*.lloydstsb.com
whitelist_from_spf *@citibank.com
whitelist_from_spf *@*.citibank.com
whitelist_from_spf *@citicorp.com
whitelist_from_spf *@*.citicorp.com
whitelist_from_spf *@citigroup.com
whitelist_from_spf *@*.citigroup.com
whitelist_from_spf *@natwest.com
whitelist_from_spf *@*.natwest.com
# Blacklist examples
# ebay
# Each meta rule must sit on one line in a SpamAssassin config file.
# The __ rules are sub-rules: they score nothing on their own and only
# fire the meta rule when SPF failed for that Return-Path domain.
header __LOCAL_FROM_EBAY Return-Path:addr =~ /\@ebay\.co\.uk$/i
meta LOCAL_SPF_EBAY ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_EBAY)
score LOCAL_SPF_EBAY 12
describe LOCAL_SPF_EBAY eBay SPF Fail
# egg
header __LOCAL_FROM_EGG Return-Path:addr =~ /\@egg\.co\.uk$/i
meta LOCAL_SPF_EGG ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_EGG)
score LOCAL_SPF_EGG 12
describe LOCAL_SPF_EGG EGG SPF Fail
# facebook
header __LOCAL_FROM_FBOOK Return-Path:addr =~ /\@facebookmail\.com$/i
meta LOCAL_SPF_FBOOK ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_FBOOK)
score LOCAL_SPF_FBOOK 12
describe LOCAL_SPF_FBOOK Facebook SPF Fail
# firstdirect (dots escaped so "." matches only a literal dot)
header __LOCAL_FROM_FD Return-Path:addr =~ /\@e?mail\.firstdirect\.com$/i
meta LOCAL_SPF_FDIRECT ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_FD)
score LOCAL_SPF_FDIRECT 12
describe LOCAL_SPF_FDIRECT First Direct SPF Fail
# Let's remove the @ and try for all sub-domains. 21/7/10
# hsbc
header __LOCAL_FROM_HSBC Return-Path:addr =~ /hsbc\.(com|co\.uk)$/i
meta LOCAL_SPF_HSBC ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_HSBC)
score LOCAL_SPF_HSBC 12
describe LOCAL_SPF_HSBC HSBC SPF Fail
# natwest
header __LOCAL_FROM_NATWEST Return-Path:addr =~ /natwest\.com$/i
meta LOCAL_SPF_NATWEST ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_NATWEST)
score LOCAL_SPF_NATWEST 12
describe LOCAL_SPF_NATWEST Natwest SPF Fail
# paypal
header __LOCAL_FROM_PAYPAL Return-Path:addr =~ /\@paypal\.co\.uk$/i
meta LOCAL_SPF_PAYPAL ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_PAYPAL)
score LOCAL_SPF_PAYPAL 12
describe LOCAL_SPF_PAYPAL Paypal SPF Fail
# smile
header __LOCAL_FROM_SMILE Return-Path:addr =~ /\@smile\.co\.uk$/i
meta LOCAL_SPF_SMILE ((SPF_SOFTFAIL || SPF_FAIL) && __LOCAL_FROM_SMILE)
score LOCAL_SPF_SMILE 12
describe LOCAL_SPF_SMILE Smile SPF Fail
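The scoring design in the post above (bank primary domain scores high, an SPF/DKIM whitelist hit pulls it back down, a Return-Path plus SPF-fail meta rule on top) can be checked offline without a running SpamAssassin. The following is an added example, not code from the post or from the SpamAssassin project: it re-implements a handful of the posted rules with a subset of the domain alternation, approximates the whitelist_from_dkim / whitelist_from_spf behaviour (the first-party DKIM check and the -100 whitelist score are assumptions about SpamAssassin's stock behaviour, and the stock scores of the SPF_* rules themselves are left out), and runs constructed sample messages through it; the SPF and DKIM results are constructed inputs standing in for what the SPF and DKIM plugins would have produced.

```python
"""Offline evaluator for the bank-phish scoring approach above.

Added example, not from the original post.  It re-implements a handful of the
posted rules (with a *subset* of the domain alternation) plus the SPF/DKIM
whitelist offset, so the scoring can be checked without a running SpamAssassin.
SPF and DKIM results are constructed inputs standing in for what the SPF and
DKIM plugins would have produced for the message.
"""
import re
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Subset of the domain list in the posted rules; the real rules carry the full one.
BANKS = r"(barclays|egg|firstdirect|halifax|hsbc|lloydstsb|natwest|rbs|santander|smile)"

# header rules: name -> (header, regex, score).  Anchored with $ so that
# "@hsbc.com.example.net" is not taken for hsbc.com.
HEADER_RULES = {
    "LOCAL_FROM_BANK":        ("From", re.compile(r"@" + BANKS + r"\.(com|co\.uk)$", re.I), 6.0),
    "LOCAL_FROM_BANK_NET":    ("From", re.compile(r"@" + BANKS + r"\.net$", re.I), 12.0),
    "LOCAL_FROM_SECURE_BANK": ("From", re.compile(r"@secure-" + BANKS + r"\.(com|co\.uk|net)$", re.I), 12.0),
    "LOCAL_FROM_BANK_OBF":    ("From", re.compile(r"@" + BANKS + r"[-a-zA-Z0-9]{1,4}\.(com|co\.uk|net)$", re.I), 12.0),
    # __ prefix: contributes no score and is hidden from the hit list, as in SpamAssassin
    "__LOCAL_FROM_HSBC":      ("Return-Path", re.compile(r"hsbc\.(com|co\.uk)$", re.I), 0.0),
}

# meta rules: name -> (predicate over the set of rules hit so far, score)
META_RULES = {
    "LOCAL_SPF_HSBC": (lambda hits: "__LOCAL_FROM_HSBC" in hits
                       and bool(hits & {"SPF_FAIL", "SPF_SOFTFAIL"}), 12.0),
}

# whitelist_from_dkim / whitelist_from_spf patterns in SpamAssassin's glob syntax
DKIM_WHITELIST = ("*@barclays.com", "*@*.barclays.com", "*@lloydstsb.com", "*@*.lloydstsb.com")
SPF_WHITELIST = ("*@natwest.com", "*@*.natwest.com")
WHITELIST_SCORE = -100.0  # assumed stock score of USER_IN_DKIM_WHITELIST / USER_IN_SPF_WHITELIST


def _first_party_signed(author_domain, signing_domains):
    """Approximation (assumption) of the one-argument whitelist_from_dkim check:
    accept a valid signature whose d= is the author domain or a parent of it."""
    return any(author_domain == d or author_domain.endswith("." + d) for d in signing_domains)


def score_message(headers, spf_result="none", dkim_signing_domains=()):
    """headers: {"From": ..., "Return-Path": ...}; spf_result: pass/fail/softfail/none;
    dkim_signing_domains: d= values of signatures that verified.
    Returns (total score, sorted visible rule names).  The stock scores of the
    SPF_* rules themselves are left out; only the rules above are scored."""
    addrs = {h: parseaddr(v)[1].lower() for h, v in headers.items()}
    hits = set()
    if spf_result in ("pass", "fail", "softfail"):
        hits.add("SPF_" + spf_result.upper())
    for name, (hdr, rx, _) in HEADER_RULES.items():
        if hdr in addrs and rx.search(addrs[hdr]):
            hits.add(name)
    for name, (cond, _) in META_RULES.items():
        if cond(hits):
            hits.add(name)
    author = addrs.get("From", "")
    if "SPF_PASS" in hits and any(fnmatchcase(author, p) for p in SPF_WHITELIST):
        hits.add("USER_IN_SPF_WHITELIST")
    if any(fnmatchcase(author, p) for p in DKIM_WHITELIST) and \
            _first_party_signed(author.rpartition("@")[2], dkim_signing_domains):
        hits.add("USER_IN_DKIM_WHITELIST")
    score = sum(HEADER_RULES[h][2] for h in hits if h in HEADER_RULES)
    score += sum(META_RULES[h][1] for h in hits if h in META_RULES)
    score += WHITELIST_SCORE * sum(1 for h in hits if h.startswith("USER_IN_"))
    return score, sorted(h for h in hits if not h.startswith("__"))


# Constructed sample messages, not real traffic.
SAMPLES = [
    ("legit, subdomain, DKIM-signed", {"From": "Barclays <alerts@email.barclays.com>"}, "none", {"barclays.com"}),
    ("legit, primary domain, DKIM-signed", {"From": "noreply@barclays.com"}, "none", {"barclays.com"}),
    ("legit, primary domain, SPF pass", {"From": "alerts@natwest.com"}, "pass", ()),
    ("phish, primary domain, unauthenticated", {"From": "security@barclays.com"}, "none", ()),
    ("phish, secure- prefix", {"From": "service@secure-hsbc.com"}, "none", ()),
    ("phish, obfuscated bank name", {"From": "online@hsbc-uk.net"}, "none", ()),
    ("phish, HSBC Return-Path failing SPF",
     {"From": "noreply@hsbc.co.uk", "Return-Path": "<bounce@mail.hsbc.co.uk>"}, "fail", ()),
    ("short bank name plus suffix", {"From": "me@smiles.com"}, "none", ()),
    ("bank domain as a label inside another domain", {"From": "x@hsbc.com.example.net"}, "none", ()),
]

if __name__ == "__main__":
    for label, hdrs, spf, dkim in SAMPLES:
        score, hits = score_message(hdrs, spf, dkim)
        print(f"{score:7.1f}  {label}: {', '.join(hits) or '-'}")
```

The samples show the mechanics the post relies on: mail from a bank subdomain never touches LOCAL_FROM_BANK, mail from the primary domain scores 6 unless the DKIM or SPF whitelist pulls it to -94, and the Return-Path plus SPF-fail meta rule adds 12 on top of the From: hit. The last two samples are worth running before deploying the real list: `me@smiles.com` hits LOCAL_FROM_BANK_OBF because short names followed by 1-4 characters match ordinary words, and `x@hsbc.com.example.net` scores nothing only because the patterns are anchored with `$`.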